How do I configure a CA?

How do I configure a CA?

[Tassilo Horn]

Hi all,

yesterday, I've received a mail with

--8<---------------cut here---------------start------------->8---
Content-Type: application/pkcs7-mime;
	smime-type=signed-data;
	name="smime.p7m"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
	filename="smime.p7m"
--8<---------------cut here---------------end--------------->8---

When trying to open it, Gnus asked me if I want to decryt it (Decrypt
(S/MIME) part? (y or n)).  I answered `y', but then I got (error "No CA
configured"), and the raw mail was displayed.

So how do I configure a CA?

Bye,
Tassilo

Re: How do I configure a CA?

[David Engster]

Tassilo Horn writes:
> yesterday, I've received a mail with
>
> Content-Type: application/pkcs7-mime;
> 	smime-type=signed-data;
> 	name="smime.p7m"
> Content-Transfer-Encoding: base64
> Content-Disposition: attachment;
> 	filename="smime.p7m"
>
> When trying to open it, Gnus asked me if I want to decryt it (Decrypt
> (S/MIME) part? (y or n)).  I answered `y', but then I got (error "No CA
> configured"), and the raw mail was displayed.
>
> So how do I configure a CA?

S/MIME decryption in Gnus is currently only done with openssl. I've
written up the configuration a while ago on the EmacsWiki:

http://www.emacswiki.org/emacs/GnusSMIME

However, nowadays I use gpgsm from GnuPG v2, which is much easier to
configure and is supported through the excellent EPG. I've posted a
patch to enable S/MIME decryption through EPG a while ago; see

http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69845

for details.

-David

Re: How do I configure a CA?

[David Engster]

David Engster writes:
> configure and is supported through the excellent EPG. I've posted a
> patch to enable S/MIME decryption through EPG a while ago; see
>
> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69845

Erm, the patch is here:

http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840

-David

Re: How do I configure a CA?

[Tassilo Horn]

David Engster <deng@randomsample.de> writes:

Hi David,

ok, if OpenSSL is too much a hassle and EPA is better anyways, I won't
try that out. :-)

>> configure and is supported through the excellent EPG. I've posted a
>> patch to enable S/MIME decryption through EPG a while ago; see
>>
>> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69845
>
> Erm, the patch is here:
>
> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840

Hm, it doesn't apply cleanly agains the current Gnus HEAD.  But when I
find some spare time I'll try to setup EPA and apply your patch
manually.

Bye,
Tassilo

Re: How do I configure a CA?

[Lars Magne Ingebrigtsen]

David Engster <deng@randomsample.de> writes:

> Erm, the patch is here:
>
> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840

Was there any particular reason the patch wasn't applied?  I know
absolutely zero about S/MIME/EPG/etc...

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: How do I configure a CA?

[David Engster]

[-- Attachment #1: Type: text/plain, Size: 814 bytes --]

Tassilo Horn writes:
> David Engster <deng@randomsample.de> writes:
>
> Hi David,
>
> ok, if OpenSSL is too much a hassle and EPA is better anyways, I won't
> try that out. :-)
>
>>> configure and is supported through the excellent EPG. I've posted a
>>> patch to enable S/MIME decryption through EPG a while ago; see
>>>
>>> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69845
>>
>> Erm, the patch is here:
>>
>> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840
>
> Hm, it doesn't apply cleanly agains the current Gnus HEAD.  But when I
> find some spare time I'll try to setup EPA and apply your patch
> manually.

I attached an updated version. BTW, Daiki Ueno also wrote a short
tutorial on how to setup gpgsm:

http://article.gmane.org/gmane.emacs.gnus.general/67400

-David


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #2: smime-decrypt-epg.patch --]
[-- Type: text/x-patch, Size: 1346 bytes --]

diff --git a/lisp/mm-view.el b/lisp/mm-view.el
index 083781b..f097a2f 100644
--- a/lisp/mm-view.el
+++ b/lisp/mm-view.el
@@ -683,17 +683,23 @@
 (defun mm-view-pkcs7-decrypt (handle &optional from)
   (insert-buffer-substring (mm-handle-buffer handle))
   (goto-char (point-min))
-  (insert "MIME-Version: 1.0\n")
-  (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m")
-  (smime-decrypt-region
-   (point-min) (point-max)
-   (if (= (length smime-keys) 1)
-       (cadar smime-keys)
-     (smime-get-key-by-email
-      (gnus-completing-read
-       "Decipher using key"
-       smime-keys nil nil nil (car-safe (car-safe smime-keys)))))
-   from)
+  (if (eq mml-smime-use 'epg)
+      ;; Use EPG/gpgsm
+      (let ((part (base64-decode-string (buffer-string))))
+	(erase-buffer)
+	(insert (epg-decrypt-string (epg-make-context 'CMS) part)))
+    ;; Use openssl
+    (insert "MIME-Version: 1.0\n")
+    (mm-insert-headers "application/pkcs7-mime" "base64" "smime.p7m")
+    (smime-decrypt-region
+     (point-min) (point-max)
+     (if (= (length smime-keys) 1)
+	 (cadar smime-keys)
+       (smime-get-key-by-email
+	(gnus-completing-read
+	 "Decipher using key"
+	 smime-keys nil nil nil (car-safe (car-safe smime-keys)))))
+     from))
   (goto-char (point-min))
   (while (search-forward "\r\n" nil t)
     (replace-match "\n"))

Re: How do I configure a CA?

[David Engster]

Lars Magne Ingebrigtsen writes:
> David Engster <deng@randomsample.de> writes:
>
>> Erm, the patch is here:
>>
>> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840
>
> Was there any particular reason the patch wasn't applied?  I know
> absolutely zero about S/MIME/EPG/etc...

No particular reason, just lack of feedback. As I wrote in the above
post, I'm not sure mm-view is the right place to add this.

-David

Re: How do I configure a CA?

[Tassilo Horn]

David Engster <deng@randomsample.de> writes:

>>> Erm, the patch is here:
>>>
>>> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840
>>
>> Was there any particular reason the patch wasn't applied?  I know
>> absolutely zero about S/MIME/EPG/etc...
>
> No particular reason, just lack of feedback. As I wrote in the above
> post, I'm not sure mm-view is the right place to add this.

Then you should ask mm-view.el's author.  It is some guy called Lars
Magne Ingebrigtsen. ;-)

SCNR,
Tassilo

Re: How do I configure a CA?

[Lars Magne Ingebrigtsen]

Tassilo Horn <tassilo@member.fsf.org> writes:

> Then you should ask mm-view.el's author.  It is some guy called Lars
> Magne Ingebrigtsen. ;-)

Eek!

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: How do I configure a CA?

[Lars Magne Ingebrigtsen]

David Engster <deng@randomsample.de> writes:

> I attached an updated version. BTW, Daiki Ueno also wrote a short
> tutorial on how to setup gpgsm:
>
> http://article.gmane.org/gmane.emacs.gnus.general/67400

The code looks good to me.  Could you supply a .texi entry (and a
ChangeLog entry), and I'll apply it?

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: How do I configure a CA?

[David Engster]

Tassilo Horn writes:
> David Engster <deng@randomsample.de> writes:
>
>>>> Erm, the patch is here:
>>>>
>>>> http://thread.gmane.org/gmane.emacs.gnus.general/69837/focus=69840
>>>
>>> Was there any particular reason the patch wasn't applied?  I know
>>> absolutely zero about S/MIME/EPG/etc...
>>
>> No particular reason, just lack of feedback. As I wrote in the above
>> post, I'm not sure mm-view is the right place to add this.
>
> Then you should ask mm-view.el's author.  It is some guy called Lars
> Magne Ingebrigtsen. ;-)

I have it on good authority that this guy knows absolutely zero about
S/MIME/EPG/etc. :-)

-David

Re: How do I configure a CA?

[David Engster]

Lars Magne Ingebrigtsen writes:
> David Engster <deng@randomsample.de> writes:
>
>> I attached an updated version. BTW, Daiki Ueno also wrote a short
>> tutorial on how to setup gpgsm:
>>
>> http://article.gmane.org/gmane.emacs.gnus.general/67400
>
> The code looks good to me.  Could you supply a .texi entry (and a
> ChangeLog entry), and I'll apply it?

2010-12-20  David Engster  <deng@eml.cc>

	* mm-view.el: If mml-smime-use is set to 'epg, use EPG to decrypt
	S/MIME messages instead of openssl.

As for the texi entry... what exactly do you have in mind here?
Currently, S/MIME setup isn't really documented at all in Gnus, but the
main part is setting up the external stuff anyway (gpgsm or openssl),
and it's questionable whether that belongs into the Gnus manual.

-David

Re: How do I configure a CA?

[David Engster]

David Engster writes:
> 	* mm-view.el: If mml-smime-use is set to 'epg, use EPG to decrypt
> 	S/MIME messages instead of openssl.

That should read:

	* mm-view.el (mm-view-pkcs7-decrypt): If mml-smime-use is set to 'epg,
	use EPG to decrypt S/MIME messages instead of openssl.

-David

Re: How do I configure a CA?

[Lynbech Christian]

Depending on whether you actually need some fancy S/MIME stuff, you
could try just setting

    (setq smime-certificate-directory (concat nnml-directory "certs/")
          smime-CA-directory nil
          smime-CA-file "/usr/share/qca/certs/rootcerts.pem")

I need to ignore some error/warning messages but for the some signed
mails I have been getting lately I am at least able to see the contents.

The CA-file probably needs to exist but you should be able to find a pem
file somewhere on your system.


------------------------+-----------------------------------------------------
Christian Lynbech       | christian #\@ defun #\. dk
------------------------+-----------------------------------------------------
Hit the philistines three times over the head with the Elisp reference manual.
                                        - petonic@hal.com (Michael A. Petonic)

Re: How do I configure a CA?

[Tassilo Horn]

Lynbech Christian <christian.lynbech@tieto.com> writes:

Hi Christian,

> Depending on whether you actually need some fancy S/MIME stuff, you
> could try just setting
>
>     (setq smime-certificate-directory (concat nnml-directory "certs/")
>           smime-CA-directory nil
>           smime-CA-file "/usr/share/qca/certs/rootcerts.pem")

Hey, cool.  After setting

(setq smime-certificate-directory (expand-file-name "certs" gnus-home-directory)
      ;; openssl certificates
      smime-CA-directory "/etc/ssl/certs"
      ;; Uni Koblenz root certificate
      smime-CA-file "~/.certs/g_rootcert.crt")

I'm able to view that one mail, and I even don't get any warnings.

Thanks a lot,
Tassilo

Re: How do I configure a CA?

[Tassilo Horn]

David Engster <deng@randomsample.de> writes:

Hi David,

>>>> Was there any particular reason the patch wasn't applied?  I know
>>>> absolutely zero about S/MIME/EPG/etc...
>>>
>>> No particular reason, just lack of feedback. As I wrote in the above
>>> post, I'm not sure mm-view is the right place to add this.
>>
>> Then you should ask mm-view.el's author.  It is some guy called Lars
>> Magne Ingebrigtsen. ;-)
>
> I have it on good authority that this guy knows absolutely zero about
> S/MIME/EPG/etc. :-)

And I have it on good authority that this guy also applies patches he
knows absolutely zero about.  Awesome guy! :-)

Bye,
Tassilo

And to make it even funnier:

Sent from my Emacs

Re: How do I configure a CA?

[David Engster]

Tassilo Horn writes:
> Lynbech Christian <christian.lynbech@tieto.com> writes:
>
> Hi Christian,
>
>> Depending on whether you actually need some fancy S/MIME stuff, you
>> could try just setting
>>
>>     (setq smime-certificate-directory (concat nnml-directory "certs/")
>>           smime-CA-directory nil
>>           smime-CA-file "/usr/share/qca/certs/rootcerts.pem")
>
> Hey, cool.  After setting
>
> (setq smime-certificate-directory (expand-file-name "certs" gnus-home-directory)
>       ;; openssl certificates
>       smime-CA-directory "/etc/ssl/certs"
>       ;; Uni Koblenz root certificate
>       smime-CA-file "~/.certs/g_rootcert.crt")
>
> I'm able to view that one mail, and I even don't get any warnings.

Ah. I just realized that your message was not really encrypted, but just
signed. Then the openssl setup is indeed much easier. The message "Decrypt
(S/MIME) part?" is - while technically correct - rather misleading.

-David

Re: How do I configure a CA?

[Ted Zlatanov]

On Mon, 20 Dec 2010 22:32:05 +0100 David Engster <deng@randomsample.de> wrote: 

DE> David Engster writes:
>> * mm-view.el: If mml-smime-use is set to 'epg, use EPG to decrypt
>> S/MIME messages instead of openssl.

DE> That should read:

DE> 	* mm-view.el (mm-view-pkcs7-decrypt): If mml-smime-use is set to 'epg,
DE> 	use EPG to decrypt S/MIME messages instead of openssl.

Will that Just Work?  And if so, can it be (if it's not already) the default?

Ted

Re: How do I configure a CA?

[Lars Magne Ingebrigtsen]

David Engster <deng@randomsample.de> writes:

> 2010-12-20  David Engster  <deng@eml.cc>
>
> 	* mm-view.el: If mml-smime-use is set to 'epg, use EPG to decrypt
> 	S/MIME messages instead of openssl.
>
> As for the texi entry... what exactly do you have in mind here?
> Currently, S/MIME setup isn't really documented at all in Gnus, but the
> main part is setting up the external stuff anyway (gpgsm or openssl),
> and it's questionable whether that belongs into the Gnus manual.

True.  So I've just applied the patch.

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: How do I configure a CA?

[Lars Magne Ingebrigtsen]

Ted Zlatanov <tzz@lifelogs.com> writes:

> DE> 	* mm-view.el (mm-view-pkcs7-decrypt): If mml-smime-use is set to 'epg,
> DE> 	use EPG to decrypt S/MIME messages instead of openssl.
>
> Will that Just Work?  And if so, can it be (if it's not already) the default?

Good question.  And `mml-smime-use' is an undocumented variable, which
should perhaps then be turned into a defcustom, and given defaults
depending on whether you have openssl or epg (whatever that is :-)
installed? 

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: How do I configure a CA?

[Ted Zlatanov]

On Sun, 02 Jan 2011 08:05:02 +0100 Lars Magne Ingebrigtsen <larsi@gnus.org> wrote: 

LMI> Ted Zlatanov <tzz@lifelogs.com> writes:
DE> * mm-view.el (mm-view-pkcs7-decrypt): If mml-smime-use is set to 'epg,
DE> use EPG to decrypt S/MIME messages instead of openssl.
>> 
>> Will that Just Work?  And if so, can it be (if it's not already) the default?

LMI> Good question.  And `mml-smime-use' is an undocumented variable, which
LMI> should perhaps then be turned into a defcustom, and given defaults
LMI> depending on whether you have openssl or epg (whatever that is :-)
LMI> installed? 

Thank you for volunteering :)

(but I'll do it if you want, it's no big deal)

Ted

Re: How do I configure a CA?

[Ted Zlatanov]

On Mon, 20 Dec 2010 18:03:29 +0100 Tassilo Horn <tassilo@member.fsf.org> wrote: 

TH> ok, if OpenSSL is too much a hassle and EPA is better anyways, I won't
TH> try that out. :-)

This brings up an issue related to the GnuTLS support in Emacs and Gnus:
is there a difference between the CAs bundled with EPA/EPG (which
eventually delegates to GPG, I think) and OpenSSL (which has its own
list)?

I ask because I eventually have to build a list of CAs for Emacs' GnuTLS
support so it can verify certificates.  I'd like that list to be
consistent with EPA/EPG, but does that sacrifice some security or
inconvenience users?

Ted

Re: How do I configure a CA?

[Lars Ingebrigtsen]

Ted Zlatanov <tzz@lifelogs.com> writes:

> (but I'll do it if you want, it's no big deal)

Go ahead.  :-)

-- 
(domestic pets only, the antidote for overdose, milk.)
  larsi@gnus.org * Lars Magne Ingebrigtsen

Re: How do I configure a CA?

[Ted Zlatanov]

On Sat, 22 Jan 2011 04:05:57 +0100 Lars Ingebrigtsen <larsi@gnus.org> wrote: 

LI> Ted Zlatanov <tzz@lifelogs.com> writes:
>> (but I'll do it if you want, it's no big deal)

LI> Go ahead.  :-)

I've gone ahead.  I use (featurep 'epg) which is not as strong as
defaulting to 'epg and will fail if EPG is loaded later.

Ted

Call to arms: IETF are trespassing on our turf.

[Lynbech Christian]

Well, one episode (http://tools.ietf.org/wg/lisp/) could have been
excused as a mistake, but now it has happened again, even closer to
home, somebody should do something:

    Diagnostic Interplanetary Network Gateway (DING) protocol
    http://tools.ietf.org/html/draft-irtf-dtnrg-ding-network-management-02

:-)


------------------------+-----------------------------------------------------
Christian Lynbech       | christian #\@ defun #\. dk
------------------------+-----------------------------------------------------
Hit the philistines three times over the head with the Elisp reference manual.
                                        - petonic@hal.com (Michael A. Petonic)

Re: Call to arms: IETF are trespassing on our turf.

[Ted Zlatanov]

On Mon, 26 Mar 2012 13:34:27 +0200 Lynbech Christian <christian.lynbech@tieto.com> wrote: 

LC> Well, one episode (http://tools.ietf.org/wg/lisp/) could have been
LC> excused as a mistake, but now it has happened again, even closer to
LC> home, somebody should do something:

LC>     Diagnostic Interplanetary Network Gateway (DING) protocol
LC>     http://tools.ietf.org/html/draft-irtf-dtnrg-ding-network-management-02

You can always tell when the name was contorted to give a nice acronym...

Ted